Use of Digital Footprints in Identifying Potential Mule Network

With the increasing use of digital channels by customers to access banking products and services, their online / mobile footprint is an essential element to analyze and trace any suspicious behavior/pattern.

The 2 cases are related to identification of potential mule network used for frauds/deceptions by analyzing customers’ digital footprints.


Case 1 — IP Address

1. OBSERVATIONS

✓ Increase in STRs related to fraud/deception
✓ Majority of STR subjects are new-to-bank (NTB) individual customers holding Taiwan ID/passport

Investigation-led Approach

2. COMMONALITIES

Some common indicators are noted on demographics and transactional pattern of the targeted customers.

✓ Correspondence address is non-residential building in HK, some of which are commonly shared
✓ Enrolled a number of external payees, some of whom are commonly shared
✓ Unusual email address (with random characters), some of which are commonly shared
✓ Declared not working or living in HK, but provided only HK contact channels — mailing address and only one HK mobile number
✓ New banking relationship established within 1-3 months
✓ Small amount of test fund movements among accounts
✓ Rapid movement of funds — Unrelated 3rd party fund deposits, followed by immediate transfer out to other 3rd parties
✓ Transfer out to external common beneficiaries
3. IP Address Analysis

Extract IP address of online/mobile banking login, dates, time and location.
Identify linkage among the targeted customers through analysis.
Noted numerous attempts to access online banking shortly after the accounts were opened.
Findings include:
i. Common IP addresses used by the targeted group
ii. Same IP address used by different customers on the same day within proximate timeframe
iii. Same customer login at multiple jurisdictions on the same day














i. Top 5 Common IP Addresses

Ref   IP Address       Location      Count of using IP
1     1*.2*.*1.3       China         174
2     [illegible]      [illegible]   [illegible]
3     1*3.3*6*15       China         36
4     10*.*4.1*5.5     Taiwan        34
5     [illegible]      China         29

ii. Same IP Address Used by 7 Customers

Customer      Login date/time    IP Address
CU#1          4/3/2020 15:21     1*.2*.*1.3
CU#1          4/8/2020 17:07     1*.2*.*1.3
CU#1          4/8/2020 18:13     [illegible]
CU#2          4/8/2020 12:22     1*.2*.*1.3
[illegible]   [illegible]        [illegible]
CU#2          4/8/2020 18:10     1*.2*.*1.3
CU#3          4/8/2020 9:59      1*.2*.*1.3
[illegible]   4/8/2020 15:54     [illegible]
CU#3          4/8/2020 16:57     1*.2*.*1.3
CU#3          4/3/2020 18:52     1*.2*.*1.3
CU#4          4/3/2020 17:39     [illegible]
CU#5          4/8/2020 11:44     1*.2*.*1.3
CU#5          4/8/2020 12:31     [illegible]
CU#5          4/3/2020 15:22     1*.2*.*1.3
CU#5          4/8/2020 17:08     1*.2*.*1.3
[illegible]   [illegible]        [illegible]
CU#6          4/8/2020 17:34     1*.2*.*1.3
[illegible]   4/8/2020 18:23     [illegible]
CU#7          4/8/2020 10:56     1*.2*.*1.3
CU#7          4/8/2020 17:47     [illegible]

iii. Same Customer Login at Different Locations

Customer   IP Address         Location   Login date/time
CU#A       **3.7*.22*.2*8     China      3/19/2020 10:17
CU#A       **3.7*.22*.2*8     China      3/19/2020 10:48
CU#A       **3.7*.22*.2*8     China      3/19/2020 11:29
CU#A       **3.7*.22*.2*8     China      3/19/2020 12:45
CU#A       3.7*.22*.2*8       China      3/19/2020 14:19
CU#A       **3.7*.22*.2*8     China      3/19/2020 15:38
CU#A       [illegible]        China      3/19/2020 17:00
CU#A       9.10.7*.20         Taiwan     3/19/2020 17:04
CU#A       *9.10.7*.20*       Taiwan     3/19/2020 17:26
CU#A       *9.10.7*.20*       Taiwan     3/19/2020 17:31
CU#A       **3.7*.22*.2*8     China      3/19/2020 18:22

Customer   IP Address         Location   Login date/time
CU#B       1*2.6*.18*.2*8     India      4/3/2020 9:42
CU#B       *18.*3.3*.49       China      4/3/2020 10:41
CU#B       10*.*4.1*5.5       Taiwan     4/3/2020 12:10
CU#B       18.*3.3*.49        China      4/3/2020 13:14
CU#B       [illegible]        China      4/3/2020 14:19
CU#B       [illegible]        India      4/3/2020 15:53
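The three linkage checks listed under "Findings include" can be run directly over login records. The following is an added example, not code from the original presentation; the record layout, the two-hour window, the function names and the sample rows (documentation-range IPs) are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records: (customer, timestamp, ip, jurisdiction).
# IPs are RFC 5737 documentation addresses; none come from the case data.
LOGINS = [
    ("CU1", "2020-04-08 15:21", "192.0.2.13", "CN"),
    ("CU2", "2020-04-08 15:40", "192.0.2.13", "CN"),
    ("CU3", "2020-04-08 16:57", "192.0.2.13", "CN"),
    ("CUA", "2020-03-19 10:17", "198.51.100.8", "CN"),
    ("CUA", "2020-03-19 17:04", "203.0.113.20", "TW"),
    ("CUZ", "2020-04-09 09:00", "203.0.113.99", "HK"),
]

def parse(rows):
    return [(c, datetime.strptime(t, "%Y-%m-%d %H:%M"), ip, j) for c, t, ip, j in rows]

def common_ips(logins, min_customers=2):
    """Finding i: IPs used by several distinct customers -> (customers, logins)."""
    users, hits = defaultdict(set), defaultdict(int)
    for cust, _, ip, _ in logins:
        users[ip].add(cust)
        hits[ip] += 1
    return {ip: (len(users[ip]), hits[ip]) for ip in users if len(users[ip]) >= min_customers}

def shared_ip_in_window(logins, window=timedelta(hours=2)):
    """Finding ii: pairs of different customers on one IP within `window`."""
    by_ip = defaultdict(list)
    for cust, ts, ip, _ in logins:
        by_ip[ip].append((ts, cust))
    pairs = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t1, c1) in enumerate(events):
            for t2, c2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are time-sorted, later ones are further away
                if c1 != c2:
                    pairs.add((ip, *sorted((c1, c2))))
    return pairs

def multi_jurisdiction_same_day(logins):
    """Finding iii: customers seen in more than one jurisdiction on one date."""
    seen = defaultdict(set)
    for cust, ts, _, jur in logins:
        seen[(cust, ts.date())].add(jur)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Shared office, carrier-grade NAT or VPN exit addresses also surface in checks i and ii, so hits are leads to be read together with the demographic and transactional indicators rather than conclusions on their own.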
4. Analysis Results

~50 customers were included in the targeted analysis with risk indicators.

Based on the IP address analysis, these accounts may not be controlled by the actual account holders.

Together with the commonalities observed on their demographics and transaction pattern, it is believed that there is possibly a syndicate operating “behind the scene” to control these mule accounts.


5. Additional Review 
Conduct a sweep on new Taiwanese customers who opened accounts within 6 
months with the common risk indicators. 


12 more suspicious customers were identified with similar background, pattern 
and IP address usage. 


6. Risk Mitigating Actions 


• Determine a proper account strategy on related accounts / customers
Case 2 — Device ID

• This case demonstrates the effective use of detecting unusual Device ID behavior followed by enhanced analysis to reveal suspicious accounts in a potential mule network.

• Strong internal collaboration between the Fraud and AML teams within the bank, and external public private partnership with the Law Enforcement Agency (LEA).

Findings:
• The Device ID used by Customer A was found to be the same as that used by a prior STR subject, who was a suspect of a telephone deception case, as informed by LEA.





• Frequent online banking logins at different IP locations (Guangzhou, Kwun Tong, Aberdeen, Macau, Shenzhen and Hubei).
• Account activities of Customer A were unusual:
  - Frequent small amount “test fund” transactions with different parties, followed by large amount transactions.
  - Rapid movement of funds in a temporary repository pattern
  - Share some common counterparties with prior STR subject
• Intelligence from LEA indicated Customer A was involved in a telephone deception case.

Enhanced Review:
• More customers were found to have used the same Device ID as Customer A.
• Their transactional activities also revealed linkage with other customers.
• Some common counterparties and payee registration setup


• Other Commonalities:
  - HKID card holders, local individual customers
  - New customers with banking relationship < 1 year
  - Residential address in public housing estates
  - No solid occupation — declared as unemployed, housewife, retired, self-employed or blue-collar work


Case Disposition:
• 22 customers were uncovered to have ‘linkages’ — common Device ID and/or common counterparties/payees.
• Intelligence from LEA revealed some of these customers’ accounts were used to deal with suspected fraudulent proceeds.
• These observations indicate they are likely operating as a mule account syndicate.
• Appropriate compliance actions and account strategy on these customers were performed and formulated.
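The enhanced review in Case 2 expands from one known subject to every customer linked by a common Device ID and/or common payees. The following added example (not code from the original presentation) shows that expansion as a union-find grouping; the account layout, identifiers and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: customer -> identifiers observed on the account.
# Device IDs and payee references are made-up placeholders.
ACCOUNTS = {
    "A": {"device": {"dev-01"}, "payee": {"P-100", "P-200"}},
    "B": {"device": {"dev-01"}, "payee": {"P-300"}},
    "C": {"device": {"dev-02"}, "payee": {"P-300"}},
    "D": {"device": {"dev-03"}, "payee": {"P-900"}},
}
KNOWN_SUBJECTS = {"A"}  # e.g. a prior STR subject used as the seed

def find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving keeps lookups short
        x = parent[x]
    return x

def linked_clusters(accounts):
    """Group customers sharing any device ID or payee, directly or transitively."""
    parent = {c: c for c in accounts}
    owner = {}  # (kind, value) -> first customer seen with that identifier
    for cust, attrs in accounts.items():
        for kind, values in attrs.items():
            for v in values:
                key = (kind, v)
                if key in owner:
                    parent[find(parent, cust)] = find(parent, owner[key])
                else:
                    owner[key] = cust
    clusters = defaultdict(set)
    for cust in accounts:
        clusters[find(parent, cust)].add(cust)
    return [members for members in clusters.values() if len(members) > 1]

def expand_from_seeds(accounts, seeds):
    """Customers linked to a known subject, excluding the seeds themselves."""
    out = set()
    for members in linked_clusters(accounts):
        if members & seeds:
            out |= members - seeds
    return out
```

Here C never shares a device with A but is still pulled in through the payee it has in common with B, which is the transitive linkage the case describes.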
• Authorised institutions should consider collecting relevant data on digital footprints and understand the data infrastructure.

• Work closely with law enforcement to share ideas and information.

• Consider establishing a firm-wide Regtech taskforce to explore ideas and opportunities, and be prepared to accept failure when implementing new ideas (failure in one project may help the team understand the data infrastructure better, which in turn may foster a successful adoption in the following plan).

• Support from Senior Management and Board of Directors needed, and they should be kept informed of industry and regulatory developments.

• Reference materials:
  - Regtech Watch Issue no. 3 on AML
  - Regtech Case Studies and Insights
  - Regtech Adoption Practice Guide
    https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2021/20210617e5a1.pdf





